| Device | Details |
|---|---|
| Vendor | Oracle |
| Device Type | Application |
| Connection Type | Syslog |
| Data Source Name | oracle-jde |
| Data Source ID | 1899 |
Select the audit classes to send to the audit_syslog plugin and make the plugin active:

```
# auditconfig -setplugin audit_syslog active p_flags=lo,+as,-ss
```

Note on p_flags: audit classes must be preselected, either as system defaults (auditconfig -setflags and -setnaflags) or in the audit flags of a user or a rights profile. Records are not collected for a class that is not preselected, even if the class is listed in p_flags. A class with no prefix forwards both successful and failed events, a leading + forwards successful events only, and a leading - forwards failed events only; the value above forwards all logins and logouts (lo), successful system-wide administration events (+as) and failed changes of system state (-ss).

You can instruct the audit service to copy some or all of the audit records in the audit queue to the syslog utility. If you record both binary audit data and text summaries, the binary data provides the complete audit record, while the syslog summaries filter the data for real-time review.
Configure the syslog.conf file by adding an audit.notice entry; the entry includes the location of the log file. Solaris syslogd requires a tab, not spaces, between the selector and the action:

```
# cat /etc/syslog.conf
…
audit.notice	/var/adm/auditlog
```

Create the log file and restrict who can read it:

```
# touch /var/adm/auditlog
# chmod 640 /var/adm/auditlog
```

Refresh the syslog service so that it reads the new configuration:

```
# svcs system-log
STATE          STIME    FMRI
online         Nov_27   svc:/system/system-log:default
disabled       Nov_27   svc:/system/system-log:rsyslog
# svcadm refresh system/system-log:default
```

Refresh the audit service so that the plugin configuration takes effect:

```
# audit -s
```
Example: specifying audit classes for syslog output

```
# auditconfig -setnaflags lo,na
# auditconfig -setflags lo,ss
# usermod -K audit_flags=pf:no jdoe
# auditconfig -setplugin audit_syslog active p_flags=lo,+na,-ss,+pf
```

The -setnaflags and -setflags arguments to auditconfig preselect all login/logout, non-attributable and change-of-system-state events for the binary audit trail. The usermod line adds the profile command class (pf) for the user jdoe, so the binary trail records both successful and failed calls to the pfexec command by that user. The audit_syslog plugin entry then forwards a subset to the syslog utility: all logins and logouts (lo), successful non-attributable events (+na), failed changes of system state (-ss) and successful calls to pfexec (+pf).
Note: Regularly archive the syslog log files. The audit service can generate extensive output. To manage the logs, see the logadm man page.
Example: sending syslog audit records to a remote system

On the audited host (sys1.1 here), the audit.notice entry forwards the records to the remote collector instead of a local file:

```
sys1.1 # cat /etc/syslog.conf
…
audit.notice	@<IP_address_of_SheriffCSM>
```

The audit.notice entry in the syslog.conf file on the receiving system (remote1 here) points to the log file:

```
remote1 # cat /etc/syslog.conf
…
audit.notice	/var/adm/auditlog
```

Classic syslogd forwards with unauthenticated UDP on port 514, so records can be lost or spoofed in transit; keep the local binary audit trail as the authoritative copy.
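The steps above (plugin activation, the syslog.conf rule, log file creation and the two service refreshes) and the p_flags prefixes used in both examples, pulled together as one idempotent script. This is an added example, not Oracle's or the SIEM vendor's code. The `apply` mode assumes a Solaris 11 host with `auditconfig`, `svcadm` and `audit` on the PATH and runs only when that argument is given; the helper functions are plain POSIX sh and can be exercised on any system against a scratch copy of syslog.conf. The environment variable names and the default p_flags value are the script's own choices.

```shell
#!/bin/sh
# Added example for the Solaris audit_syslog procedure on this page (not Oracle's code).
# Run as "sh audit_syslog_setup.sh apply" on the Solaris host; with no argument it only
# defines helpers. SYSLOG_CONF, AUDIT_LOG and P_FLAGS are this script's own knobs.

SYSLOG_CONF="${SYSLOG_CONF:-/etc/syslog.conf}"
AUDIT_LOG="${AUDIT_LOG:-/var/adm/auditlog}"
P_FLAGS="${P_FLAGS:-lo,+na,-ss,+pf}"     # same selection as the page's second example

# Append "audit.notice<TAB>target" to a syslog.conf unless that exact rule already exists.
# Solaris syslogd needs a TAB between selector and action, so the rule is never written
# with spaces. Re-running the function leaves the file unchanged.
ensure_audit_syslog_entry() {
    conf="$1"; target="$2"
    if awk -v t="$target" '$1 == "audit.notice" && $2 == t { found = 1 }
                           END { exit found ? 0 : 1 }' "$conf" 2>/dev/null; then
        return 0
    fi
    printf 'audit.notice\t%s\n' "$target" >> "$conf"
}

# Number of audit.notice rules in a syslog.conf (one per destination).
count_audit_rules() {
    awk '$1 == "audit.notice" { n++ } END { print n + 0 }' "$1"
}

# Translate a p_flags string such as "lo,+na,-ss" into one line per class:
# no prefix = success and failure, "+" = successful events only, "-" = failed only.
explain_flags() {
    echo "$1" | tr ',' '\n' | while IFS= read -r f; do
        case "$f" in
            "")  ;;
            +*)  printf '%s: success only\n' "${f#+}" ;;
            -*)  printf '%s: failure only\n' "${f#-}" ;;
            *)   printf '%s: success and failure\n' "$f" ;;
        esac
    done
}

# The full procedure; requires root and the Solaris audit utilities.
apply_solaris() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
    command -v auditconfig >/dev/null 2>&1 || { echo "auditconfig not found" >&2; return 1; }

    auditconfig -setplugin audit_syslog active "p_flags=${P_FLAGS}"
    ensure_audit_syslog_entry "$SYSLOG_CONF" "$AUDIT_LOG"
    [ -f "$AUDIT_LOG" ] || touch "$AUDIT_LOG"
    chmod 640 "$AUDIT_LOG"
    svcadm refresh system/system-log:default
    audit -s

    # p_flags only forwards classes that are preselected: show what is preselected so
    # a class listed in P_FLAGS but missing here is caught immediately.
    echo "forwarding to syslog:"; explain_flags "$P_FLAGS"
    echo "preselected (attributable):";     auditconfig -getflags
    echo "preselected (non-attributable):"; auditconfig -getnaflags
}

case "${1:-}" in
    apply) apply_solaris ;;
esac
```

To forward to the SIEM instead of a local file, set `AUDIT_LOG` to the `@host` form before running `apply`; the same function writes the remote rule, and because it matches on the exact destination, a local file rule and a remote rule can coexist without duplicating either.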